While writing this, I can quickly search for the people who have explicitly listed themselves as associated with my company, and I can tell you that more than 20% of the current employee base has tied themselves to us through their social networking profiles.

Ok, let’s switch perspectives…

A study published last year found that two major social networking sites were the target of 91 percent of U.S.-based phishing attempts. Symantec found that 68 percent of the 50 most frequently reported potential infections among its customers involved malware that tried to get access to stored usernames, passwords and financial data.

So if you belong to the 20-plus percent of associates who use social networking sites, the odds are good that you were exposed to one of these attempts in the past year. Social networking sites have mostly been hit by worms, adware and phishing attacks. Most of these are automated, untargeted attempts to harvest information. Even a low success rate for a “You won’t believe this funny video of you” Trojan, though, yields quite a bit of information.

Attacks are now migrating from this widespread malware approach to very targeted social engineering. The top social networking sites all offer a way to set up a false account and then request access to a “group” (e.g. your company). Membership in that group often provides enough information to begin building profiles of users or of the organization. Get one (or a few) of the people in that organization to accept you as a connection and you now have more detailed information on those associates and possibly their area of the company. Take it a step further: if those associates (and now a few others) have their privacy settings set loosely, you can see information about users to whom you aren’t even explicitly connected.

A very similar approach was taken on a blog site used by the employees of a particular corporation. Someone impersonated an employee and, over a few months, established a profile and even made “friends” with other associates within the company via the site. The person claimed to be an IT associate working on projects they had gleaned from other information on the site. Ultimately the user created a web page, using the corporate identity of the company, that looked like a password reset page. They casually talked up the tool as a convenient way to set or change passwords and then sat back and let word spread. A high percentage of site users used the page and thereby gave up their account credentials. Even after this was exposed, many of the associates, based on their interaction on the site, truly thought they had been dealing with a fellow associate.


LinkedIn has specifically addressed this kind of false association with a “social defense” model. You can’t just randomly send messages to people à la Facebook. To reach another member you aren’t connected to, LinkedIn requires you to ask someone you both know for an introduction. A third party thus has to vouch for you, which makes a fabricated profile harder (though not impossible) to use; note that the introducer is confirming that they know you, not verifying your identity.

What precautions should be taken to limit exposure of information?

Smart password management – Your passwords, everywhere you use them, are important. Considerable effort goes into protecting the systems that use and govern your passwords at your company. Create strong, complex passwords for systems outside of the corporate ones to help keep your information safe. A word of caution here: don’t use the same password for all systems either. Yes, it is convenient, but this goes to the “weakest link” problem. If a website with poor programming or security practices leaks your name, associations, employment and password, and you use that same password for your bank account, outside email and corporate login, all of those are now exposed. A password manager lets you keep a different password for every site without having to remember them. Also be judicious with password reset tools. Don’t use questions with simple or obvious answers, since that makes it easy for someone else to guess the information, reset your password and gain control of your profile. Another article dedicated to this issue alone is in the works.

Utilize the security controls provided by the site – The major social networking sites let you limit who can view all or part of your information. I highly recommend not leaving those settings at their defaults; set everything to the most restrictive view possible. In most cases this is a setting that allows “only my friends or connections” to view information on your profile, which limits much of the information to people you have explicitly permitted. Be leery of the options to allow “friends of friends” to view information, and certainly don’t leave it set to “publicly available”.

Stick with who you know – Please don’t use social media sites as a popularity yardstick. That usually means accepting invites from complete strangers and inviting anyone and everyone to be a “friend/contact” so you have a large number of associations. It increases the risk of an indirect attack via email, posting or app, as well as of targeted attacks, because it makes it easier for an anonymous attacker to masquerade as a “friend”.

Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.

Be skeptical – Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take proper precautions, though, and try to verify the authenticity of any information before taking any action.

Use and maintain anti-virus software – Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove a virus before it does any damage. Because attackers are continually writing new malware, keep your definitions up to date; signature-based products only catch what they already know about. The newer suites of these products are often called endpoint protection suites and bundle additional components that give better overall protection for your system.

The plan we’ve come up with is to remove regional networks completely and create a simpler model for privacy control where you can set content to be available to only your friends, friends of your friends, or everyone.

So what actually happened when you used the settings that supposedly restricted who could see your content?

Did this not actually work in December? Will it work with the next round of changes?

At least when the most recent programming issue (earlier this month) was discovered that allowed people to see content you had restricted, Facebook reacted quickly, apologized, said it was part of a programming change that had just been pushed out, and made changes to fix the issue. LINK HERE

However, that little bit of rebuilt faith in Facebook is quickly undermined when you find that the current configuration also LEAKS INFORMATION TO THIRD PARTIES. While Facebook’s settings let you opt out of sharing information, the page you are viewing passes your username and/or ID number in the URL to the third party that hosts the ad (the browser sends the URL of the current page as the Referer header along with the request for the ad). Having the name or ID allows the third party to look you up on Facebook, which is easily done programmatically if you are a large advertising company looking to harvest information. That interestingly contradicts what Facebook’s VP for Public Policy stated in the New York Times earlier this month:

However, we don’t provide the advertiser any names or other personal information about the Facebook users who view or even click on the ads. (LINK HERE)
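To make the “easily done programmatically” point concrete, here is an added example (my code, not anything from the original post, from Facebook or from any ad network) of what an ad host can pull out of the Referer field its web server already logs. The log lines, hostnames and the two URL shapes it looks for (a numeric ?id= on a profile page and a vanity name as the first path segment) are constructed assumptions.

```python
"""Added example: harvesting profile identifiers from the Referer header an ad
host receives.  The log lines, hostnames and URL shapes below are constructed
for illustration and are not taken from the original post or any real site."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed Combined Log Format lines as an ad server might record them.
# The Referer field carries whatever URL the browser was on when it fetched
# the ad; if that URL names the logged-in user, the ad host now has it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2010:14:01:22 -0400] "GET /ad.gif?slot=12 HTTP/1.1" 200 43 "http://www.facebook.com/profile.php?id=123456789&ref=profile" "Mozilla/5.0"
203.0.113.11 - - [12/May/2010:14:01:25 -0400] "GET /ad.gif?slot=12 HTTP/1.1" 200 43 "http://www.facebook.com/home.php" "Mozilla/5.0"
203.0.113.12 - - [12/May/2010:14:01:31 -0400] "GET /ad.gif?slot=7 HTTP/1.1" 200 43 "http://www.facebook.com/jane.doe?v=wall" "Mozilla/5.0"
203.0.113.13 - - [12/May/2010:14:01:40 -0400] "GET /ad.gif?slot=7 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

# Combined Log Format: the referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Path segments that are site navigation rather than a vanity name (assumed).
NON_USER_PATHS = {"", "home.php", "profile.php", "login.php"}


def identity_from_referer(referer):
    """Return ('id', value) or ('username', value) if the referring URL names a
    user, else None.  Two URL shapes are assumed: ?id=<number> on a profile
    page, and a vanity name as the first path segment."""
    if not referer or referer == "-":
        return None
    url = urlparse(referer)
    ids = parse_qs(url.query).get("id")
    if ids and ids[0].isdigit():
        return ("id", ids[0])
    first = url.path.strip("/").split("/")[0]
    if first and first not in NON_USER_PATHS:
        return ("username", first)
    return None


def harvest(log_text):
    """Map client IP -> identity leaked via Referer, for every line that leaks one."""
    leaks = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ident = identity_from_referer(m.group("referer"))
        if ident:
            leaks[m.group("ip")] = ident
    return leaks


if __name__ == "__main__":
    for ip, (kind, value) in harvest(SAMPLE_LOG).items():
        print(f"{ip} -> {kind}={value}")
```

Two of the four constructed requests hand the ad host an identity it can then join to the visitor’s IP and cookie. The fix is on the site’s side: don’t put a user identifier in the URL of any page that loads third-party content, and, in current browsers, send a Referrer-Policy header so the referring URL is cut down to its origin before it leaves the browser.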

Given the changes in security settings, the fact that they often “default” to what Facebook considers optimal (which I assume is not optimal for most people) and the “oops” factor when Facebook makes unintended changes, the information you thought you had restricted is left open for viewing. Since information can have a long life on the Internet, changing the settings after the fact doesn’t pull your information back; it only limits future leakage.

Do I still have a Facebook profile? For now, yes. But there’s nothing there that isn’t quite public knowledge about me anyway. I’m definitely part of the 60% of people considering leaving Facebook (a small sample, and one skewed toward security-minded people). (LINK) Nevertheless, if some percentage of the 400 million users left, it would send quite a loud message.

Then again, are we expecting entirely too much here? I hate to say it, but this is a social media site. Should we be indignant when we find that information we post on the Internet is shared with people we didn’t mean it for? I don’t want to absolve any site of its responsibility to properly secure user data, but we put it there! To the degree that you can, don’t put things online you don’t want shared with anyone. At least that limits your exposure and the damage from the next Facebook issue that leaks more about you than you want.

EXAMPLE: Where were you born? Paste this question into your Facebook status (along with the answer) and tell all your friends where you were born. Ask them to do the same!

Anyone want to guess one of the most common questions people use for the password reset function on their bank accounts, credit card websites or email? If you post this information along with your email address, it gives someone most of the critical pieces needed to compromise an account.

What about this?

Answer these 10 questions and paste to your status. Tell your friends to do the same and see how much you have in common:

Where were you born?

What is your sign?

What is your favorite color?

What is your favorite food?

What do you do?

What is your favorite movie?

Are you a (insert a sports team name here) fan?

Mac or PC?

Dog or Cat?

If you could go anywhere in the world where would you go?

I attended a presentation recently where it was said, “if these people are REALLY your friends, they already know all this.” So please don’t use that as a reason or excuse for publicizing this information on your Facebook profile. Most people may have technically “friended” you but are loose social connections at best.

Given the number of changes to Facebook’s security settings and the fact that most people don’t have them set correctly, you can quickly see how these types of posts give entirely too much information to someone who shares a group with you or is a friend of a friend.

Your profile already provides your location, possibly your birthday, school, email address and so on, so one can approximate where you are and how old you are. In most locations there are probably only 2-3 major banks. So an attacker has enough information to target your online banking account and/or your email account. They aren’t going to have to guess or break your password; they’re going to use everything they’ve gathered about you to reset it.

Anyone recall the issue with Sarah Palin’s email being “hacked”? Well, “hacked” gives the guy a bit too much credit; “socially engineered” is more appropriate. He simply went to her email service (which was known to be Yahoo), clicked on the password reset function, and it prompted him:

“What is your birthday”

“Where did you meet your husband?”

“What is your zipcode?”

If you had gone to the governor’s website at the time, it proudly displayed two interesting pieces of information: she met her husband Todd in high school, and she spent her entire life in Wasilla. Since Wasilla only had two zip codes, the rest was easy to guess. A simple Wikipedia search will tell you her birthday.

Since most of us are not high-profile public figures with a ton of information about us on the Internet (though if you are, thanks for reading my post!), it’s probably best that we don’t voluntarily put this information out there for anyone to snag.

Here’s my litmus test: Would this be something you’d feel comfortable telling a stranger on the street? Probably not.

Thanks to the guys who spend a lot of time reviewing social media (especially Tom Eston and Kevin Johnson), who have noted that specially crafted spam messages will show up as a Facebook notification in the Facebook for BlackBerry application.

What makes this troublesome from an information protection standpoint is that the Facebook application is actively scanning your email inbox. For many, many BlackBerry users, that is not a personal mailbox but their corporate email. Of the 13,934,752 monthly active users (according to facebook.com), I’m sure you all read the EULA when you installed the app, right? That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, the application has full access to your contact names. And if you’re on a corporate BES, the information contained therein is your corporate email directory? Uh, yeah. So corporate BlackBerry users with the Facebook app are willingly handing over a valid contact list for their entire company. My understanding of spam and capitalism is that this is quite valuable information that can readily be sold to email distribution list providers. Can someone please point me to the data management policy that protects this information from disclosure? I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologies, I’ll put it out there now. Sorry. But if you have this app installed on your BlackBerry, uninstall it. NOW! Do not finish reading this post; uninstall the app and then come back to finish the post.

To RIM:

I trust (which is always a bad thing) that when you provide a signed application you have reviewed how the application behaves on your device and confirmed that it doesn’t do anything we don’t expect, like skim our emails and contact information. Much as an application requests permission to use your GPS coordinates (another bad thing), why would you not have the same request when an application wants access to your personal information and email?

But wait, during the setup there is an option to “allow” access to your messages, calendar and contacts. First, the statement that it will send a copy of your contacts to the Facebook site should be alarming enough. Worse yet, it seems that turning all of these off during setup did not affect a spammer’s ability to inject a properly crafted email. I infer from this that it still reads emails from your message list. So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are): (updated May2010)

It appears that RIM may be slightly at odds with the application developers here. In the 5.0 release of BES, the settings that allow an end user to do this are set to FALSE by default, which is what I would expect them to be. My hope at this point is that you are running BES 5.0. If so, please make certain the IT policy “Disable Organizer Data Access for Social Networking Applications” is applied. I also understand that this is backwards compatible with BES 4.x installs, so everyone has the opportunity to enable this policy.